a
/
code-server
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

refactor: update login logic with new async hashing 

This adds the proper await logic for the hashing of passwords.
This commit is contained in:
Joe Previte 2021-06-02 13:11:01 -07:00
parent fd3cb6cfa0
commit fcc3f0d951
No known key found for this signature in database
GPG Key ID: 2C91590C6B742C24
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/node/routes/login.ts
View File

@ -77,7 +77,12 @@ router.post("/", async (req, res) => {
? isHashLegacyMatch(req.body.password, req.args["hashed-password"]) ? isHashLegacyMatch(req.body.password, req.args["hashed-password"])
: req.args.password && safeCompare(req.body.password, req.args.password) : req.args.password && safeCompare(req.body.password, req.args.password)
) { ) {
const hashedPassword = req.args["hashed-password"] ? hashLegacy(req.body.password) : hash(req.body.password) // NOTE@jsjoeio:
// We store the hashed password as a cookie. In order to be backwards-comptabile for the folks
// using sha256 (the original hashing algorithm), we need to check the hashed-password in the req.args
// TODO all of this logic should be cleaned up honestly. The current implementation only checks for a hashed-password
// but doesn't check which algorithm they are using.
const hashedPassword = req.args["hashed-password"] ? hashLegacy(req.body.password) : await hash(req.body.password)
// The hash does not add any actual security but we do it for // The hash does not add any actual security but we do it for
// obfuscation purposes (and as a side effect it handles escaping). // obfuscation purposes (and as a side effect it handles escaping).
res.cookie(Cookie.Key, hashedPassword, { res.cookie(Cookie.Key, hashedPassword, {